G Suite admins get restricted security code option

Earlier this year, Google provided G Suite admins and users with a new 2FA option: one-time security codes based on security keys.

Now it offers an new option to make them more secure: admins can limit their use to the same device and/or local network on which they were generated.

What’s a security code?

“A security code is a one-time use code, generated using a security key, that can be used to log in on legacy platforms where security keys aren’t supported directly,” Google explained.

“While most modern systems support the use of security keys, some do not. For example, security keys often don’t work with Internet Explorer and Safari, iOS apps, remote desktops, and legacy applications that don’t support FIDO protocols.”

When needing to log securely in to such an app, the user can open a Chrome browser and generate a security code with their key, and the security code can then be entered into the app.

The new option

Previously, G Suite admins could either:

• Disallow users to generate security codes or
• Permit users to generate security codes and use them on the same device or local network (NAT or LAN), as well as other devices or networks (e.g., when accessing a remote server or a virtual machine).

The new, third option permits users to generate security codes and use them only on the same device or local network (NAT or LAN). This is now the default setting for new G Suite customers.

When it introduced security codes, Google warned admins to carefully evaluate if their organization needs them before enabling their creation.

“Using security keys without security codes helps to provide maximum protection against phishing. However if your organization has important workflows where security keys can’t be used directly, enabling security codes for those situations may help improve your security posture overall,” the company noted.

The new option was provided because they’ve observed that security codes are most commonly used with applications that use legacy authentication on devices that are capable of supporting Chrome or other browsers that allow security keys.

“The new restricted security code option allows that use case to be satisfied while reducing some potential vulnerabilities,” they explained.

The use of security codes can be controlled separately for users in the Advanced Protection Program for the enterprise (Admin console > Security > Advanced Protection Program).